Fwd: pkinit SAN and EKU checking

Henry B. Hotz hotz at jpl.nasa.gov
Mon May 14 20:09:43 EDT 2007

I expect that it will be common for the certs on a smart card to be  
issued by a different CA from the cert used by the KDC.

Certs issued by a KCA/KX509 service may or may not use the same CA as  
either of the above, though it seems more likely they (and any  
relevant TLS-protected services) would share CA's with the KDC than  
with the card issuers.

On May 14, 2007, at 4:32 PM, krbdev-request at mit.edu wrote:

> Date: Mon, 14 May 2007 17:12:04 -0500
> From: "Douglas E. Engert" <deengert at anl.gov>
> Subject: Re: Fwd: pkinit SAN and EKU checking
> To: Kevin Coffman <kwc at citi.umich.edu>
> Cc: MIT Kerberos Developers <krbdev at mit.edu>
> Message-ID: <4648DEB4.90203 at anl.gov>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Kevin Coffman wrote:
>> Sam suggested I forward this here.  Comments/suggestions welcome.
> What about mixed environments where some certs (may be issued by
> a local CA) and some others are issued by some external CA.
> So are you sans and eku checking based on the issuer CA?
> Examples could be using PIV smart cards issued by federal
> government for a small number of outside users, with most
> users using soft certs issued by local site.
> It looks like external could always be used if needed.
> but then all uses would have to be handled that way.

More information about the krbdev mailing list